DevOps teams have embraced containers because they boost speed and flexibility in app development and delivery, and are ideal for microservices. In fact, by 2020 more than 50% of organizations will run containerized applications in production, up from under 20% in 2017, according to Gartner. Thus, security teams must prioritize protecting the applications that DevOps teams create with this OS virtualization method.

“We see container security as a significant new paradigm coming at us, which will bring a lot of change,” Qualys CEO Philippe Courtot said.

“Security automation is a simple term but to get a handle over that entire automated and ever-accelerating CI/CD (continuous integration and delivery) pipeline is becoming more and more difficult,” Awan said.

Responding to this need, Qualys offers a comprehensive security solution that monitors and protects containerized applications from the inside. In order to do that, Qualys technology collects granular behavior data about the application, providing deep visibility and enforcing normal application behavior for runtime protection.

Read on to learn about Qualys’ container security approach.

The allure of containers

“Everybody loves containers,” Awan said.

Because they package an application and its dependencies without a guest OS, containers offer advantages over VMs. Applications can be developed more quickly, are more lightweight and portable, and can be spun up and down faster.

They also run consistently regardless of the underlying computing infrastructure, making them highly portable. In addition, because they’re much slimmer, many more containers than VMs can be packed into a host, saving computing resource costs.

Securing containers

Container security challenges are primarily related to a lack of visibility, monitoring capabilities and control over their deployments. For example, container developers often use un-validated, buggy software components from public repositories, and deploy containers with weak configurations, resulting in applications that are highly vulnerable to hacker exploits.

Containers also communicate with each other via exposed network ports, bypassing host controls, and they’re hard to track because they’re so ephemeral, making them difficult to monitor. Furthermore, organizations have delegated even more container tasks to providers of increasingly popular container-as-a-service (CaaS) and orchestration-as-a-service offerings.

The Qualys approach

“Qualys provides a comprehensive solution for visibility and control for the entire lifecycle of containerized apps,” Awan said.

The Qualys container security solution gives security teams continuous discovery, tracking, and protection of containers in DevOps pipelines and deployments at any scale.

Awan explained that the traditional application security approach has been to either install an agent on the host, or monitor network traffic. Qualys believes the best way to protect a containerized application is from inside. “We layer in visibility and security in each application,” he said.

Qualys does this by replicating container images and embedding its security logic in them. That way, customers get very specific data about the application. “Anything that an app does, all of those activities, are captured and we automatically create a behavior profile,” he said.

That profile gets converted into detailed security policies which are enforced at the individual container level. That way, security teams can detect containers that drift from their normal behavior.

Qualys’ policy-based orchestration also stops vulnerable container images from being spun up in Kubernetes clusters. In this way, Qualys’ solution enables teams to zero in on host-level or container-level vulnerability and patch compliance.

The result: Deep visibility and runtime application protection for containerized and serverless “container as a service” workloads like AWS Fargate and Azure Container Instances. This is the right way to monitor and secure applications because the infrastructure stack changes constantly and is managed through offerings like AWS Fargate/Lambda and Azure Container Instances/Cloud Functions.

This approach is also inherently more secure than those based on privileged and elevated system capabilities, which give the privileged security containers access and control over all other containers, according to Awan. As was seen with the recently patched Kubernetes flaw (CVE-2018-1002105), it’s likely that similar vulnerabilities and threats will emerge, because adding root privileges to the layer that’s exposed to the external, hostile environment makes that layer a target for malicious activity.

By embedding visibility and security within the container itself, Qualys can monitor and control all container network, storage, and application calls from within each container. It also retains the portability and agility of containers by automatically moving and scaling with them.

In short, with Qualys’ solution, organizations can protect all phases of container deployment — the build, ship, and runtime stages, he said.

Build

In this phase, the main goal is keeping unsafe, vulnerable images out of your container repository. DevSecOps teams can perform vulnerability analysis right from their CI/CD tools after they’ve been integrated via REST APIs or via custom plug-ins with Qualys. Developers get automatically notified if the image fails, and can access detailed, actionable vulnerability information for fixing the issue.

Qualys also provides visibility into container images’ software composition, showing, for example, whether open source packages are used and how these packages are licensed, Awan said.

Ship

In this phase, organizations should monitor for vulnerabilities and misconfigurations of the images already in their registries. Qualys inventories and scans images in on-premises registries and cloud-based registries.

Organizations can also schedule automated daily scans to detect newly-disclosed vulnerabilities and to check the new images being added to the repositories. That way, organizations can make sure they are enforcing compliance with internal and external standards and policies.

Runtime

When containers are deployed in production, it’s critical to have visibility and continuous monitoring of runtime environments, and to respond to breaches. With Qualys, organizations can detect vulnerable containers, identify where they are, and assess their potential impact based on how widespread they are in the environment.

Qualys also lets security teams validate images against security policies, and block unapproved images from being spun up as containers through integration with orchestrators to enforce compliance.

And finally, Qualys provides deep application-level visibility into all container activities and enforces normal behavior at the individual container level for application protection.

For more information about Qualys’ container security solution, please watch the video of Awan’s QSC talk, which includes more details, and a live demo.

Capital One prides itself on staying at the forefront of IT innovations to give its business a competitive edge.

For example, it adopted Agile software-development methodologies years ago, and uses artificial intelligence and machine learning. It was the first bank to implement a mobile wallet with “contactless” NFC payments, and to offer voice-activated financial transactions using Amazon’s Alexa. When 2018 ends, Capital One expects 80% of its IT infrastructure to be cloud based, allowing it to go from seven to two data centers.

Given its tech transformation track record, it’s not surprising that Capital One has embraced DevSecOps, embedding automated security checks into its DevOps pipeline. This effort has dramatically accelerated the process of assessing vulnerabilities and mis-configurations in its virtual machine images and containers.

As a result, the code created in the DevOps pipeline is certified as secure and released to production without unnecessary delays. This allows Capital One — one of the United States’ 10 largest banks, based on deposits — to consistently boost its business across the board by quickly and continuously improving its web properties, mobile apps, online services and digital offerings.

“This has provided a huge benefit to the entire company,” said Emmanuel Enaohwo, Senior Manager for Vulnerability/Configuration Management at Capital One, a Fortune 500 company based in McLean, Virginia that offers a broad spectrum of financial products and services to consumers, small businesses and commercial clients.

Read on to learn how the bank has automated vulnerability and compliance checks in its CI/CD software pipeline, helped by Qualys.

Emmanuel Enaohwo is Senior Manager for Vulnerability/Configuration Management at Capital One

The security team would perform the assessment and create a report, which the DevOps team would use to carry out remediation. Then it would re-send the AMI for another check, which usually uncovered new issues. They’d go back and forth in a “fix / find / verify” loop, which typically took up to two weeks to complete.

Capital One wanted to shorten this security certification process for AMIs. The bank found the solution without having to look very far: The DevOps team was given API access to the security team’s Qualys vulnerability management and policy compliance tools.

This allowed developers to run the scans themselves, get a report instantly, start remediating immediately, and re-scan as needed, without involving the security team. Everything sped up dramatically.

“As soon as we introduced Qualys’ APIs into the environment, we cut the time to less than 24 hours,” Enaohwo said.

Capital One also seeds the Qualys Cloud Agent on every AMI that’s going to be deployed to production, so it’s alerted immediately about newly-discovered security and compliance issues on live instances.

After doing an initial comprehensive assessment of the IT, security and compliance status of each AMI, the agent from then on only reports changes, and it does so as soon as it detects them.

“In traditional VM programs you’re lucky if you scan once a week. Most people scan once a month. With the Qualys Cloud Agent, it’s almost real time,” Enaohwo said.

The Cloud Agent is lightweight, consuming negligible computing resources, and its OS support includes Windows, Linux, MacOS, and “cloud native” platforms, including AWS. It works on assets that are on premises, in clouds and on remote endpoints.

There are no scan windows, since it’s always collecting data on assets it’s installed on, even when assets are offline. Since it only communicates outbound to the Qualys platform, there’s no need for credential and firewall management.

By installing the Cloud Agent on almost every AMI that passes through its DevOps “bakery” — excluding some third-party AMIs — Capital One has achieved 95% assessment coverage of its IP addresses.

“That’s something we couldn’t do before Qualys,” he said.

The agent has also boosted accuracy of detection of vulnerabilities and mis-configurations, slashing the number of false positives, and quickened scan data availability.

“All these KPIs (key performance indicators) are met because of the integration with DevOps using the Qualys Cloud Agent and APIs,” he said.

Next: Securing containers

Like other IT innovators, Capital One uses Docker containers to add speed and flexibility to its application development and delivery.

Containers are lighter and more ephemeral than virtual machines because they can be spun up without a guest operating system for each one. Applications can be smaller and more portable.

Containers have helped popularize microservices, a new architecture where applications are structured as independent, small, modular services, and which Capital One is leveraging.

However, containers bring security challenges, such as the use of un-validated software pulled from public repositories, which often contains unpatched vulnerabilities and weak configurations.

Recognizing the importance of securing container environments, Capital One is automating security and compliance checks on them similarly to how it’s doing it for AMIs.

Capital One chose Qualys Container Security, a cloud app that gives organizations continuous discovery, tracking and protection of containers in DevOps pipelines and deployments. Qualys Container Security’s native sensor is available as an image and is deployed as a ‘side-car’ unprivileged container on hosts.

Capital One is using Qualys Container Security’s plug-in for the Jenkins CI/CD (continuous integration / continuous delivery) tool, so that DevOps teams can scan container images themselves, and fix them immediately.

It was also familiar for members of the DevOps team acquainted with the AMIs’ automated security checks, because the same workflow and QIDs (Qualys IDs) are involved.

The role of the security team

Delegating vulnerability and compliance assessments to the DevOps team not only accelerated the AMI and container pipeline: It also has allowed the Capital One security team to focus on higher-level tasks, such as discovering assets and improving the accuracy of its CMDB’s data.

The team also establishes the security and compliance standards and thresholds that AMIs must meet before going live, and retains oversight of the entire process, including configuration-hardening procedures and vulnerability identification.

Enaohwo’s team also drafts reports from the scan data, customized for different constituencies, including the board of directors. It helps business units analyze scan findings, and generate remediation strategies and plans. The team also tracks remediation progress.

On the governance side, it’s responsible, among other things, for interfacing with compliance and audit, and handling documentation and process mapping.

“I always tell my team we’re not meant to do operations. We’re meant to drive change,” he said.

Infosec Teams Race To Secure DevOps

Wed, 28 Nov 2018

With DevOps adoption spreading, infosec teams are scrambling to address the new security challenges stemming from DevOps’ accelerated code development and app deployment. But while IT organizations have made notable progress adapting security to their DevOps processes, work remains to be done.

That’s a key finding from SANS Institute’s “Secure DevOps: Fact or Fiction” report, which was discussed recently in a two-day webcast (Part 1 & Part 2) co-sponsored by Qualys. A revealing statistic: Under 50% of respondent organizations have fully “shifted left” to embed security throughout their DevOps pipelines, a figure that should be higher.

“Security is still being built in at the end, whereas risk reduction should start earlier in the software development lifecycle,” said Barbara Filkins, a SANS analyst. With security in the early stages of application design, “we can eliminate many issues that we’d see at the back end,” she said.

Threading security throughout DevOps also preserves the benefits of continuous and quick software delivery, like improved customer support and employee productivity.

“As a DevOps engineer, you’re looking to automate security at the speed of what business needs,” said Qualys Product Management Director Hari Srinivasan.

“The goal is enabling a transition from DevOps to secure DevOps that is factual, not fiction,” Filkins said.

Read on to learn about DevSecOps challenges, best practices and case studies.

Real world DevSecOps

Srinivasan described how several Qualys customers have successfully implemented DevSecOps by automating and integrating security and compliance checks.

At a large U.S. bank, in order to certify the security of its Amazon Machine Images (AMIs), the DevOps and security teams emailed scan reports and fix requests in a back-and-forth loop.

“It took about two weeks for each AMI to get certified,” Srinivasan said. With Qualys’ help, the bank revamped and automated the process.

The DevOps team was given API access to the security team’s Qualys vulnerability management and policy compliance products. This allowed developers to run scans themselves, get reports, remediate and re-scan as needed, without involving the security team. This shortened the process to under 24 hours.

The bank also seeds the Qualys Cloud Agent on every AMI deployed to production, so it’s alerted immediately about newly-discovered security and compliance issues on live instances. The agent has boosted accuracy of detection of vulnerabilities and mis-configurations, slashing false positives, and quickening scan data availability.

“This is an example of how security can be transparently embedded within DevOps processes,” he said.

The integration allows ACS to detect Azure VMs and deploy lightweight Qualys Cloud Agents in bulk to them. The agents gather vulnerability data and send it to the Qualys Cloud Platform, which in turn, provides vulnerability and system health monitoring data back to the ACS administrator.

“This shows how a vendor can transparently orchestrate security into the cloud provider space, removing the friction and overhead the IT ops team would have rolling out security tools,” Srinivasan said.

Srinivasan also highlighted:

How Qualys’ Web Application Scanning (WAS) product can be integrated via API with the popular Jenkins CI/CD tool so that DevOps teams can run security checks on applications at the staging, test/QA and development environments.

Infosec faces old and new challenges

A clear picture emerges from SANS’ survey of almost 300 organizations: Security teams are striving to keep up with DevOps teams’ constant use of emerging technologies, while also protecting legacy software.

In practice, this means infosec teams are learning how to secure serverless apps, containers, IoT systems and cloud workloads, as they also defend mature web, mobile and off-the-shelf apps.

“Legacy apps remain a priority but does it divert the attention from the new platforms and risks that are rapidly becoming mainstream?” Filkins said.

(Source: Secure DevOps: Fact or Fiction? SANS Institute)

Thus, infosec teams must strike the right balance, so that they don’t fall behind with either set of apps. That’s easier said than done, of course.

“Almost everyone we surveyed is dealing with serious technical and security debt issues with their legacy systems,” said SANS analyst Jim Bird.

DevOps: Full speed ahead

Meanwhile, DevOps teams aren’t slowing down. Their frequency of system changes deployed to production apps increased notably from last year.

“Security teams must keep up — or get left behind,” Filkins said.

They’re trying. Respondents testing business-critical apps twice or more per month rose from 13% to 24% this year. Organizations testing daily and continuously almost doubled.

Unfortunately, the percentage of vulnerabilities repaired promptly and satisfactorily increased only marginally. “Time to patch shows no improvement, or at least not enough,” Filkins said.

The reason may be surprising. “It’s not because they can’t,” Bird said. Management either doesn’t allow or doesn’t encourage them to.

Organizational issues affect DevSecOps success in general, taking the form of skills and personnel shortages, inadequate budgets, and communication silos.

Best practices

Also fundamental: “Shifting left,” so that security is integrated and automated throughout the software development and delivery cycle.

However, the survey reveals that more than half of respondents aren’t meshing security until the development stage or later ones, like QA and implementation.

“That’s a little too late to start thinking about security because it becomes a bolt-on, instead of a holistic approach in the application design,” Filkins said.

In fact, when respondents were asked about DevSecOps success factors, the top one was the integration of automated security testing into build / delivery tools and workflows.

Other DevSecOps success tips from SANS include:

Making security transparent and adding it into engineering backlogs

Addressing organizational issues

Making engineers responsible for building secure code, and providing them with the necessary training and tools

Creating security champions throughout the organization

Improving communication and collaboration between DevSecOps and management, and building cross-functional teams

Measuring improvement

Once organizations have a DevSecOps program, they should evaluate its effectiveness. SANS recommends tracking metrics like:

Time to fix vulnerabilities

Security issues discovered post-deployment

Builds delayed due to security issues

Human hours spent resolving security issues

The common denominator here — and ultimate goal — is speed of delivery.

“As the velocity of delivery increases, the security program has to enable velocity, not slow it down,” Bird said.

We invite you to view the webcasts and download the report, where you’ll find many more details about DevSecOps challenges and best practices.

Securing Container Deployments with Qualys

Thu, 30 Aug 2018

With container adoption booming, security teams must protect the applications that DevOps teams create and deploy using this method of OS virtualization. The security must be comprehensive across the entire container lifecycle, and built into the DevOps pipeline in a way that is seamless and unobtrusive.

Accomplishing this requires an understanding of Docker container technology and the adoption of processes and tools tailored for these environments. In a recent webcast, Qualys Director of Product Management Hari Srinivasan, an expert on cloud and container security, outlined container security risks, use cases, and best practices.

DevOps benefits, security challenges

Because they package an application and its dependencies without a guest OS, containers offer developers key advantages over VMs. For example, applications can be developed more quickly, are more lightweight and portable, and can be spun up and down faster. They also run consistently regardless of underlying computing environments. Containers can be run within virtual machines or on “bare metal” servers, and in clouds or on-premises.

All of these characteristics make containers “extremely interesting for DevOps teams,” he said.

In particular, containers are ideal for microservices, a popular architecture in which applications are structured as independent, small, and modular services. Unsurprisingly, by 2020 more than 50% of global organizations will be running containerized applications in production, up from less than 20% in 2017, according to Gartner. However, containers create their own security and compliance issues. In fact, security is the biggest challenge cited by organizations deploying containers, according to Forrester.

Container security issues include the use of un-validated software from public repositories, which often has unpatched vulnerabilities, and the deployment of containers with weak configurations, Srinivasan said. In addition, containers communicate directly with each other via exposed network ports in a way that bypasses host controls, and they are hard to track because they’re so ephemeral. Organizations also often lack proper governance to prevent unauthorized access to container environments.

“These are primary threats around containers,” he said.

Container security goals

As they map container security plans, security teams should pursue four main goals.

Obtain visibility across their container environment by discovering and tracking all deployments — on-premises and in clouds. “If you gain visibility about where your containers are deployed, you’ll be able to track the sprawl and scale of this container environment,” Srinivasan said.

Manage vulnerabilities within containers, making sure your tool keeps false positives to a minimum, and prevent and detect intrusions.

Choose container security tools that are adaptive and can be integrated with DevOps products via REST APIs or custom plug-ins.

Rethink patching, because vulnerable containers are instead terminated and replaced.

When choosing a container security tool, organizations will find three different options.

The first type of tool is deployed within Docker hosts as an agent. This isn’t a good option if the security team lacks access to the host, which is often the case in public cloud environments, Srinivasan noted.

Then there are tools that are deployed within a container as a daemon or agent, but this option isn’t always favored by developers.

The third model — Qualys’ choice — consists of tools that deploy as “side-car” containers, running on every host alongside the other containers. “This is adaptable and suitable for a wide range of environments,” he said.

Protecting the container pipeline with Qualys Container Security

Qualys Container Security (Qualys CS) has a native container sensor that can be downloaded as a Docker image and deployed as a side-car container on every Docker host. Since it is available as a Docker image, it can be managed easily with container orchestration tools and deployed across all the nodes of the cluster automatically.

With Qualys CS, organizations can protect all phases of container deployment — the build, ship, and runtime stages.

Build

“In the build phase, the primary goal from a security standpoint is to avoid having vulnerable images, or images with conflicts, from entering your repository,” he said.

This is especially important for images pulled wholly or in part from a public repository, a common developer practice. To keep unsafe images out of repositories, Qualys CS enables DevSecOps teams to perform vulnerability analysis via REST APIs or via custom plug-ins for CI/CD tools.

Qualys CS has a plug-in for Jenkins, and soon will for other such tools including Bamboo, Microsoft VSTS, GitLab, TeamCity, and CircleCI, Srinivasan said. After downloading the plug-in, the security team establishes “fail” thresholds for images, such as the presence of a specific vulnerability, or of any vulnerability above a certain severity level.

Developers get automatically notified if the image fails, and can access detailed information about the vulnerability for fixing the issue. “Developers have actionable data directly in the build environment itself, so they don’t need to leave their console. They have this information to remediate and update their image,” he said.

The security team can configure the security controls for Jenkins environments globally via the policy rules feature in their Qualys portal.
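The build-phase gate described above, as an added example that is not code from Qualys or its Jenkins plug-in: the scan report layout, the policy fields and the sample QIDs are constructed assumptions; only the logic (fail on a specific QID or on any finding above a severity threshold, and hand the developer the offending findings) comes from the post.

```python
"""Build-phase image gate for a CI/CD pipeline.

Added example, not code from Qualys or its Jenkins plug-in. The scan
report layout, the policy fields and the sample QIDs are constructed
assumptions; only the idea (fail on a specific QID or on any finding
above a severity threshold, hand the developer the offending findings)
comes from the post. Severity uses the 1 (low) to 5 (high) scale.
"""
from dataclasses import dataclass, field
import json
import sys


@dataclass(frozen=True)
class Finding:
    qid: int        # detection identifier (constructed values below)
    severity: int   # 1..5
    title: str
    package: str    # affected component, e.g. an OS or language package
    fixed_in: str   # version that resolves the finding ("" if none yet)


@dataclass(frozen=True)
class GatePolicy:
    max_severity: int                        # any finding above this fails the build
    blocked_qids: frozenset = frozenset()    # these fail the build at any severity


@dataclass
class Verdict:
    passed: bool = True
    reasons: list = field(default_factory=list)
    actionable: list = field(default_factory=list)  # findings the developer must fix


def parse_report(raw_json: str) -> list:
    """Turn a scan report (constructed JSON layout) into Finding objects."""
    data = json.loads(raw_json)
    return [Finding(**item) for item in data["vulnerabilities"]]


def evaluate_image(findings: list, policy: GatePolicy) -> Verdict:
    """Apply the security team's thresholds to one image's findings."""
    verdict = Verdict()
    for f in findings:
        if f.qid in policy.blocked_qids:
            why = f"QID {f.qid} ({f.title}) is explicitly blocked by policy"
        elif f.severity > policy.max_severity:
            why = f"QID {f.qid} ({f.title}) severity {f.severity} exceeds allowed {policy.max_severity}"
        else:
            continue
        verdict.passed = False
        verdict.reasons.append(why)
        verdict.actionable.append(f)
    return verdict


def remediation_lines(verdict: Verdict) -> list:
    """Developer-facing output: what to update, and to which version."""
    lines = []
    for f in verdict.actionable:
        target = f"upgrade to {f.fixed_in}" if f.fixed_in else "no fixed version yet; replace or remove"
        lines.append(f"{f.package}: {target} (QID {f.qid})")
    return lines


def build_exit_code(verdict: Verdict) -> int:
    """Non-zero exit makes the CI stage fail and keeps the image out of the repository."""
    return 0 if verdict.passed else 1


# Constructed sample report and policy for a stand-alone run.
SAMPLE_REPORT = json.dumps({"image": "registry.example/app:1.4.2", "vulnerabilities": [
    {"qid": 900001, "severity": 5, "title": "Remote code execution in libexample",
     "package": "libexample 1.0.3", "fixed_in": "1.0.4"},
    {"qid": 900002, "severity": 2, "title": "Deprecated cipher enabled in example-tls",
     "package": "example-tls 2.1", "fixed_in": ""},
    {"qid": 900003, "severity": 3, "title": "Information disclosure in example-log",
     "package": "example-log 0.9", "fixed_in": "0.9.1"},
]})
SAMPLE_POLICY = GatePolicy(max_severity=3, blocked_qids=frozenset({900002}))


def main() -> int:
    verdict = evaluate_image(parse_report(SAMPLE_REPORT), SAMPLE_POLICY)
    print("image gate:", "PASS" if verdict.passed else "FAIL")
    for r in verdict.reasons:
        print("  -", r)
    for line in remediation_lines(verdict):
        print("  fix:", line)
    return build_exit_code(verdict)


if __name__ == "__main__":
    sys.exit(main())
```

With the sample policy the severity-5 finding and the explicitly blocked QID fail the build while the severity-3 finding passes, so the developer gets two remediation lines and the stage exits non-zero.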

Ship

In this phase, organizations should inventory and scan for vulnerabilities the images already in their registries, which host and distribute images, and in their repositories, which are collections of related images.

With Qualys CS, organizations can inventory and scan images on on-premises registries like Artifactory and Nexus, and on cloud-based registries like the ones from Amazon AWS, Microsoft Azure and Google Cloud.

It’s important to schedule automated daily scans to detect newly-disclosed vulnerabilities and to check the new images being added to the repositories. That way, organizations can make sure they are “enforcing the standards to check for any new vulnerabilities that might creep into the process, or at the same time to ensure that anything in flight isn’t modified when the image moves from the build to the registry,” Srinivasan said.

Another best practice is to check that images come from sources that are trusted and reputable, and that keep their images current and scrubbed of disclosed vulnerabilities. It’s recommended to use notary services to sign images and ensure only trusted images are being used in your environment.

Qualys CS will have support for adding policies to let users mark trusted repositories and registries, and flag and enforce any deviation from that policy.

“This will ensure that whatever you ship is what’s being run on your host, and at the same time providing you with the visibility into what registries are being used by your company, and what images are part of that registry,” he said.

Runtime

When container images are available for production use, it’s critical to have visibility and continuous monitoring of runtime environments, as well as to prevent and respond to breaches.

With Qualys CS, organizations can detect vulnerable containers, identify where they are, and assess their potential impact based on how widespread they are in the environment.

A key here is to flag containers already running on the system that are breaking off from the “immutable” behavior of their parent image, which could indicate a breach. As is well known, containers follow the image, so it’s key to identify the behavior of the containerized application and detect suspicious deviations, such as unexpected system calls, processes and communications.

Qualys CS enables security teams to enforce countermeasures, such as blocking or quarantining these containers, and drill down into the details of the anomalies to understand the issues, Srinivasan said.
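The drift-detection approach described here (and the behavior-profile idea described earlier in the page: record what the containerized app does, derive a per-container policy, flag deviations), as an added example that is not Qualys code. The event format, the profile-learning step, the event kinds and the quarantine rule are constructed assumptions.

```python
"""Runtime drift detection against a learned behavior profile.

Added example, not Qualys code. It illustrates the approach described
in the post (record what the containerized app does, derive a per-image
policy, flag containers that deviate) with a constructed event format
and constructed sample events; the profile-learning step, the event
kinds and the quarantine rule are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    container: str   # container instance name
    kind: str        # "exec" (process started), "connect" (outbound peer), "syscall"
    value: str       # process path, "host:port", or syscall name


def learn_profile(baseline_events):
    """Derive the allow-list policy from events observed during a trusted run
    of the parent image. Result: {kind: frozenset(values)}."""
    seen = defaultdict(set)
    for e in baseline_events:
        seen[e.kind].add(e.value)
    return {kind: frozenset(values) for kind, values in seen.items()}


def detect_drift(profile, runtime_events):
    """Return {container: [events not covered by the profile]}.
    An event kind absent from the profile was never observed, so any
    value of that kind counts as drift."""
    drift = defaultdict(list)
    for e in runtime_events:
        if e.value not in profile.get(e.kind, frozenset()):
            drift[e.container].append(e)
    return dict(drift)


QUARANTINE_KINDS = frozenset({"exec", "connect"})


def decide_action(drift_events):
    """Countermeasure policy (assumption): unexpected processes or network
    peers quarantine the container; other deviations only raise an alert."""
    if not drift_events:
        return "none"
    kinds = {e.kind for e in drift_events}
    return "quarantine" if kinds & QUARANTINE_KINDS else "alert"


def assess(profile, runtime_events):
    """Map every container that drifted to the action to take."""
    return {c: decide_action(evs) for c, evs in detect_drift(profile, runtime_events).items()}


# Constructed baseline: what the image's application normally does.
BASELINE_EVENTS = [
    Event("baseline", "exec", "/usr/local/bin/python3"),
    Event("baseline", "connect", "db.internal:5432"),
    Event("baseline", "syscall", "read"),
    Event("baseline", "syscall", "write"),
    Event("baseline", "syscall", "socket"),
    Event("baseline", "syscall", "connect"),
    Event("baseline", "syscall", "accept4"),
]

# Constructed runtime observations from three containers of that image.
RUNTIME_EVENTS = [
    Event("web-1", "exec", "/usr/local/bin/python3"),   # matches profile
    Event("web-1", "connect", "db.internal:5432"),
    Event("web-1", "syscall", "accept4"),
    Event("web-2", "exec", "/bin/sh"),                   # process not in profile
    Event("web-2", "connect", "203.0.113.7:8443"),       # peer not in profile (TEST-NET address)
    Event("web-2", "syscall", "ptrace"),                 # syscall not in profile
    Event("web-3", "syscall", "mknod"),                  # only a syscall deviation
]


def main():
    profile = learn_profile(BASELINE_EVENTS)
    for container, events in detect_drift(profile, RUNTIME_EVENTS).items():
        print(f"{container}: {decide_action(events)}")
        for e in events:
            print(f"  unexpected {e.kind}: {e.value}")


if __name__ == "__main__":
    main()
```

On the constructed data web-1 stays silent, web-2 is quarantined for its unexpected process and network peer, and web-3's lone syscall deviation only raises an alert for an analyst to drill into.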

Qualys CS also lets security teams validate images against security policies, and block unapproved images from being spun up as containers through integration with orchestrators.

Secure your container environments with Qualys

We hope this post has helped you better understand the particular security challenges of containers, and how Qualys CS can help you address them throughout their lifecycle:

Blocking vulnerable images from entering repositories during the build phase;

Securing images pushed to your registries in the ship phase;

And scanning in production during the runtime phase to identify and manage compromised containers.

Specifically, organizations can organically build security into this new, hybrid IT infrastructure, instead of abruptly bolting it on as has been done traditionally — and ineffectively. Meshing security in natively requires a unified security and compliance platform for detection, prevention and response.

Today, many organizations have a fragmented, siloed strategy that doesn’t provide the needed visibility because it’s based on accumulating point products that don’t scale, are costly to deploy and maintain, and complex to integrate.

“This is why security is so far behind,” Thakar said during his keynote.

“The effort and resistance that goes into putting together the information that’s required to make decisions is very costly, very time-consuming, and not accurate,” he added.

Qualys Cloud Platform: Built for Securing the Digital Transformation

The Qualys Cloud Platform has been architected with the goal of simplifying security by eliminating friction and making it as intuitive and automated as possible.

It’s what Thakar calls “transparent orchestration,” which he says is the future of security, and a key guiding principle and goal for Qualys, as evidenced by the platform’s design and operation:

A robust, massively scalable backend stores and processes the data with its various analytics and reporting engines, and presents it in a unified “single pane of glass” view of the organization’s security posture

An integrated suite of centrally-managed, self-updating cloud applications now cover almost 20 security and compliance tasks, including vulnerability management and container security, with more apps in development

In all, the Qualys Cloud Platform detects 1+ trillion security events per year, conducts 3+ billion IP scans and audits per year with Six Sigma accuracy (99.99966%), and has indexed 250+ billion data points in its elastic search clusters.

With this cloud architecture, the Qualys Cloud Platform is uniquely designed for protecting today’s hybrid IT environments, including the DevOps pipelines where digital transformation projects are built and deployed.

With its integrations into public cloud platforms such as AWS and Azure, and with its cloud security apps, Qualys can protect the entire DevSecOps lifecycle, from the development to the production stages.

“We’ve really focused on bringing the capabilities of DevOps and SecOps together into a single view,” Thakar said.

The Qualys Cloud Platform provides unparalleled end-to-end discovery, prevention, detection and response capabilities. “If this is all providing you real-time visibility, your response now becomes significantly easier and much more accurate, because you’re looking at information that’s well groomed,” he said.

Roadmap

Thakar highlighted a number of recently-released and upcoming apps and technologies:

Cloud Inventory, available now, for a complete inventory of all your cloud assets across AWS, Azure, Google Cloud and other cloud platforms

Cloud Security Assessment, available now, for continuous monitoring and assessment of your cloud assets and resources for misconfigurations and non-standard deployments

Certificate Inventory, available now, for a full inventory of TLS/SSL digital certificates on a global scale

Mobile Security Platform, based on Qualys’ 1Mobility acquisition and due in beta in Q4, for detailed security assessment and policy enforcement of mobile devices

With these and other recent and upcoming releases, Qualys is extending its reach and allowing customers to replace more point tools and further consolidate their security stacks on the Qualys Cloud Platform.

“We’re really dedicated towards enhancing our platform,” he said.

You can watch a recording of Thakar’s keynote, which goes into a lot more detail, features demos of several products and includes a Q&A session with the audience.

DevSecOps: Practical Steps to Seamlessly Integrate Security into DevOps

https://blog.qualys.com/news/2018/05/16/devsecops-practical-steps-to-seamlessly-integrate-security-into-devops

Wed, 16 May 2018 16:00:29 +0000

To properly and effectively protect DevOps pipelines, organizations can’t blindly apply conventional security processes they’ve used for traditional network perimeters. Since DevOps’ value is the speed and frequency with which code is created, updated and deployed, security must be re-thought so that it’s not a last step that slows down this process.

Hampering the agility of DevOps teams has terrible consequences. These teams produce the code that digitally transforms business tasks and makes them more innovative and efficient. Thus, it’s imperative for security to be built into — not bolted onto — the entire DevOps lifecycle, from planning, coding, testing, release and packaging, to deploying, operating and monitoring.

If security teams take existing processes and tools, and try to jam them into the DevOps pipeline, they’ll break the automation, agility and flexibility that DevOps brings.

“This doesn’t work,” Qualys Vice President of Product Management Chris Carlson said during a recent webcast, in which he explained how security teams can seamlessly integrate security into DevOps using Qualys products.

Protect your DevOps pipeline with Qualys

These apps, which can be integrated with DevOps tools via open APIs, are fed data from a variety of Qualys sensors. These sensors, which collect IT, security and compliance information from organizations’ IT assets on-premises and in cloud environments, include:

Whether you have a public or a custom image, you would scan it either with a Qualys scanner via APIs or with a Qualys Cloud Agent, identify vulnerabilities and misconfigurations, prioritize remediation, and fix the problems. Once that process is completed, you will end up with a hardened base instance, on which you can seed a Qualys Cloud Agent before releasing it to production.

When the approved gold image is in production, Qualys helps you monitor and track its security posture via dynamic and interactive dashboards. In those, you can search and tag instances based on attributes, and use pre-built or custom widgets to monitor deployments.

In addition, the Qualys Cloud Connector for AWS continuously discovers instances and collects their metadata including AMIs using API integration. Connectors may be configured to connect to one or more AWS accounts with user-provided, read-only credentials. That way, they can automatically detect and synchronize changes to virtual machine instance inventories from all Amazon EC2 Regions and Amazon VPCs.

As with AWS, Qualys has similar native integrations with Microsoft Azure and Google Cloud Platform to do vulnerability management, policy compliance, malware detection, web app scanning and other critical tasks on your cloud instances.

For example, Qualys has integrated the Cloud Agent with Microsoft’s Azure Security Center console to secure Azure Virtual Machines in DevOps pipelines. Thus, Windows admins who may know little about security or about Qualys, can turn on vulnerability management from their ASC console with a few clicks.

That way, the agents automatically and continuously collect vulnerability data on Azure VMs, send it to Qualys Cloud Platform for analysis, and ship it back to the ASC console. “This is a cloud-to-cloud integration where the Windows sysadmins don’t know they’re using Qualys, nor about the API. They see the findings directly in ASC, and that becomes very powerful,” Carlson said.

With these capabilities, Qualys customers are able to use the same tools for detecting and visualizing vulnerabilities across their entire IT environment. “You get a single UI, a single platform, from DevOps to production,” he said.

Qualys customers are already making this scenario a reality

A bank app is born in the cloud with integrated security

When a bank recently created a consumer mobile wallet, it built the entire project — from development to deployment — in the cloud, and integrated security into the DevOps process from day one. “IT, Dev and Ops partnered from the beginning, and leveraged each other’s technologies,” Carlson said.

From the DevOps side, the app was born in AWS: planning, testing, regression, staging, build, deployment, and production. Complete new builds of the app are produced and deployed into AWS every 60 days.

To keep up this speed, they’ve created automated regression and test-driven development so they can quickly and easily find any functional defects created or introduced between builds. Docker containers are used to abstract the app from the OS, which lets the bank iterate on the apps faster without being constrained by dependencies in the underlying OS.

“This is IT transformation right here, and with security built in from the beginning,” he said.

Meanwhile, the security team transparently integrated vulnerability and compliance assessment into the DevOps process from the first day. Code vulnerabilities are fixed in the same software-release cadence. The bank checks for vulnerabilities in both commercial and open source software used in the project.

That way, the bank can find and fix those vulnerabilities, and verify they’ve been properly fixed on the same release cadence. The automated regression for functional testing is also applied to more quickly find issues with patches and vulnerability remediation.

Because they’re using Docker containers, IT teams can apply security patches to OS vulnerabilities at a separate cadence from application vulnerabilities, without worrying that patches to one will break the other. Consequently, this app ships with far fewer severe vulnerabilities than average legacy apps.

And the mobile wallet app vulnerabilities that do make it through into production — as well as the newly disclosed vulnerabilities that impact production applications — are patched much more frequently and consistently than in legacy apps.

Investment firm automates web app security in DevOps environments

With software written at breakneck speed in DevOps pipelines, it’s hard to keep up with all the development activities, so all applications need automated testing, because manual testing is costly and slow, and doesn’t scale. That’s what a large financial investment firm and Qualys customer with about 400 web apps in production discovered.

After scanning their production web applications with Qualys Web Application Scanning (WAS), the company found it had a lot of easy-to-remediate web app vulnerabilities like cross-site scripting (XSS) and SQL injection, which are harder to fix once the application is already running in production.

The security teams worked with application development leaders and agreed that these types of web app vulnerabilities were as much errors in software coding as they were complex security issues.

To address the issue going forward, the company integrated Qualys WAS into its agile software development process by executing web app scans programmatically via the WAS API at the same time they perform automated functional testing.

Scan outputs were retrieved via the API, and tickets were automatically created to remediate XSS and SQL Injection vulnerabilities in the next development sprint, prior to production deployment.
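The loop the firm describes, scan results pulled over an API and turned into sprint tickets before deployment, looks roughly like the following. This is an added illustration, not Qualys code and not the firm’s pipeline: the findings are constructed in a generic shape a scanner API might return, the existing-ticket map and the ticket record are hypothetical, and the severity threshold for failing the build is an assumed policy value.

```python
"""Turn web-app scan findings into sprint tickets and a build gate.

Added illustration, not Qualys code. SCAN_FINDINGS is constructed sample
data in a generic scanner-API shape; EXISTING_TICKETS and Ticket are
hypothetical; GATE_SEVERITY is an assumed policy value.
"""
from dataclasses import dataclass

# Constructed sample findings (not real scan output). The same finding id
# can appear more than once across scans with a changed status.
SCAN_FINDINGS = [
    {"id": 1001, "type": "XSS", "severity": 4, "url": "https://app.example/search?q=", "status": "NEW"},
    {"id": 1002, "type": "SQLi", "severity": 5, "url": "https://app.example/login", "status": "NEW"},
    {"id": 1003, "type": "Info Disclosure", "severity": 2, "url": "https://app.example/robots.txt", "status": "NEW"},
    {"id": 1001, "type": "XSS", "severity": 4, "url": "https://app.example/search?q=", "status": "REOPENED"},
    {"id": 1004, "type": "SQLi", "severity": 5, "url": "https://app.example/report", "status": "FIXED"},
]

# Tickets created in earlier sprints, keyed by finding id (constructed).
EXISTING_TICKETS = {1002: "SEC-41"}

GATE_SEVERITY = 4            # open findings at or above this block promotion (assumed policy)
TICKET_TYPES = {"XSS", "SQLi"}  # the classes the firm chose to auto-ticket


@dataclass(frozen=True)
class Ticket:
    """Hypothetical ticket record handed to the issue tracker."""
    finding_id: int
    title: str
    severity: int
    url: str


def open_findings(findings):
    """Collapse to one entry per finding id that is still open (NEW/REOPENED)."""
    by_id = {}
    for f in findings:
        if f["status"] in ("NEW", "REOPENED"):
            by_id.setdefault(f["id"], f)   # first occurrence wins; FIXED entries are dropped
    return by_id


def tickets_to_create(findings, existing):
    """One ticket per open XSS/SQLi finding that does not already have one (no duplicates)."""
    tickets = []
    for fid, f in sorted(open_findings(findings).items()):
        if f["type"] in TICKET_TYPES and fid not in existing:
            tickets.append(Ticket(fid, f"{f['type']} at {f['url']}", f["severity"], f["url"]))
    return tickets


def build_passes(findings, threshold=GATE_SEVERITY):
    """Build gate: fail when any open finding reaches the severity threshold."""
    return all(f["severity"] < threshold for f in open_findings(findings).values())


def gate_report(findings, existing):
    """Summary a CI job would log and act on."""
    blocking = sorted(fid for fid, f in open_findings(findings).items() if f["severity"] >= GATE_SEVERITY)
    return {
        "passes": not blocking,
        "blocking": blocking,
        "new_tickets": [t.finding_id for t in tickets_to_create(findings, existing)],
    }


if __name__ == "__main__":
    print(gate_report(SCAN_FINDINGS, EXISTING_TICKETS))
```

The point of deduplicating on the finding id rather than on URL or type is that a re-scan after a partial fix reports the same finding again with a REOPENED status; without the id-based check every sprint would get a fresh duplicate ticket, and the gate would still fail for the right reason.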

This dramatically lowered the number of vulnerabilities present in production apps without the need to buy more point solutions, which would have increased the company’s security budget and vendor management tasks.

Qualys Container Security

Qualys continues to deepen its WAS app’s ability to integrate with DevOps environments. For example, it recently released a plug-in for the Jenkins CI/CD (continuous integration / continuous deployment) automation server.

In addition, Qualys has an app for securing Docker containers, which are all the rage among developers because they allow applications to be created and deployed more quickly and efficiently, and with more portability.

For security, containers represent a challenge, because they churn much faster than virtual machines, and are much more lightweight because they can be spun up without provisioning a guest operating system for each one.

Container Security, now in beta, has been designed to help InfoSec teams with continuous discovery, tracking and protection of containers in DevOps pipelines and deployments at any scale. Specifically, Qualys CS offers:

Discovery, inventory, and near-real time tracking of container events

Vulnerability analysis for image registries and containers

Event and change tracking, so you know who is making changes and have an audit trail

REST API integration

Qualys CS also features a native container sensor, which is distributed as a Docker image. Users can download and deploy these sensors directly on their container hosts, add them to the private registries for distribution, or integrate them with orchestration tools for automatic deployment across elastic cloud environments.

How can you get started with Qualys in your DevSecOps projects?

Carlson outlined a series of practical steps to establish a strong security program using DevSecOps that’s driven by concrete metrics and by financial benefits.

Next Week

Inventory current security tools, and determine which are DevOps friendly using criteria like: Can they be integrated via APIs with DevOps tools? Can they automate processes? Do they have self-service UIs that developers could use to do their own security assessments?

Identify development teams using DevOps, and see if they’re open to integrating security into their process.

Start with an internal, simple “safe” project, as opposed to aiming for a major one with sky-high stakes for the business.

DevOps isn’t limited to cloud computing projects, so look for opportunities to collaborate with teams building on-premises apps.

Next Quarter

Integrate Qualys into one development lifecycle, and collect metrics that show concrete improvements and benefits attained after security was meshed with the DevOps process.

Measure outcomes by documenting things like the decrease in the number of vulnerabilities and configuration issues in apps before they ship to production environments.

Host a project summit to present your project successes and evangelize DevSecOps to other groups.

Next 6 Months

Create a DevSecOps architecture for on-premises and cloud

Streamline your security toolset by replacing point solutions with Qualys Cloud Apps. This will allow you to cut costs and ensure your organization is using the most effective products.

Implement self-service and API-based DevSecOps programs to extend and facilitate the use and integration of security tools within the DevOps pipeline.

Expand to more projects to make DevSecOps a foundational, widespread practice across your organization.

Present at conferences and user groups on DevSecOps and become a DevSecOps thought leader inside and outside your organization.

We invite you to listen to a recording of the webcast, which has a lot more details about this topic, and a Q&A session with the audience.

Securing the Hybrid Cloud: A Guide to Using Security Controls, Tools and Automation

https://blog.qualys.com/news/2018/05/15/securing-the-hybrid-cloud-a-guide-to-using-security-controls-tools-and-automation

Tue, 15 May 2018 16:00:57 +0000

When a bank recently created a consumer mobile wallet, it built the entire project — from development to deployment — in the cloud, an increasingly common decision among enterprises.

A less common step taken by this multinational bank and Qualys customer was incorporating the security team from day one. It recognized that the safety of the application was as critical for its success as its feature functionality.

In doing so, this bank tackled a challenge that organizations face as they move workloads to public cloud platforms: Protecting these new cloud workloads as effectively as their on-premises systems, but with processes and tools that are effective in both environments.

In a recent webcast, SANS Institute and Qualys experts addressed this issue in detail, offering insights and recommendations for security teams faced with protecting hybrid IT infrastructures’ assets on premises and in public clouds.

Cloud adoption triggers new security needs

In pursuit of digital transformation benefits, organizations are aggressively moving more workloads to public clouds, expanding from straightforward software-as-a-service (SaaS) applications to more involved platform- and infrastructure-as-a-service (PaaS and IaaS) deployments.

As this happens, InfoSec teams find that safeguarding these environments can be complex. “Security teams have rallied around the idea that this is something they need to live with,” Dave Shackleford, a SANS analyst and instructor, said during the webcast.

For example, having visibility into their workloads and assessing their security posture can be challenging, given that they have less control over these multi-tenant cloud platforms. InfoSec teams also need to figure out which new tools, expertise and staff they may need to acquire.

Recently, there have been many incidents where organizations have left cloud storage buckets unprotected, exposing confidential business and customer data publicly on the Internet. For example, The Los Angeles Times left an Amazon AWS S3 bucket open with read and write access. Hackers inserted malicious code into the newspaper’s website and used visitors’ browsers to mine cryptocurrency.

“We’ve got to do the due diligence, and it’s up to us to lock down this kind of stuff,” Shackleford said.

Steps to take

To properly adapt and map on-premises security controls and processes to public cloud environments, SANS recommends the following:

Continually update risk assessment and analysis governance practices. That way, you can review cloud providers’ security controls, capabilities, and compliance status; internal development and orchestration tools and platforms; operations management and monitoring tools; and security tools and controls both in-house and in the cloud. This should give security teams clarity into what controls are currently in place, how they’ll need to be modified, and what the most pressing issues are.

Establish a set of configuration items to develop and maintain for cloud-based systems, including OS version and patch level; local users and groups; permissions on key files; and hardened network services.

Scan and assess vulnerabilities continuously and throughout cloud instances’ lifecycles using either or both of these two methods:

Relying on APIs, rather than manual requests, to perform more intrusive scans on a scheduled or ad hoc basis

Relying on host-based agents that can scan their respective virtual machines on a continuous basis, with reporting of any vulnerabilities noted

“If you’re looking at cloud workloads as these enormously dynamic, ever changing, environments, you’ve got to bake in a vulnerability management strategy from the definition of the environment in a completely automated way,” he said.

Monitor complex, virtualized IaaS environments using a host-based tool whose agent reports to a management server, and send logs and events to a central collection platform. Logs and events generated by services, apps and OSes in the cloud environment can include:

— Unusual user logins or login failures

— Large data imports or exports to and from the cloud environment that weren’t anticipated

— Privileged user activities

— Changes to approved system images; to privileges and identity configuration; and to logging and monitoring configurations

— Access and changes to encryption keys

— Cloud-provider and third-party threat intelligence

Logging and event management aren’t new, but what’s new is the volume of logs generated in cloud environments. “It’s staggering, so people have to dig in there and go: ‘What do I really want to see here?’ And put some priorities around some of that,” Shackleford said.
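To make the priority question concrete, the following is an added example (not from the webcast, SANS or Qualys) that runs the event classes listed above as rules over a batch of audit-log records. The records are constructed in a simplified CloudTrail-like shape; the event-name groupings use real CloudTrail event names but the grouping, the failed-login count and the egress byte threshold are assumptions to tune for your environment.

```python
"""Flag the cloud-log event classes listed above in a batch of audit records.

Added example, not from the webcast or from Qualys. EVENTS is a constructed
batch in a simplified CloudTrail-like shape; the groupings and thresholds
below are illustrative assumptions.
"""
from collections import Counter, defaultdict

# Real CloudTrail event names; grouping them into the categories from the
# list above is our assumption.
LOGGING_CHANGES = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
IMAGE_CHANGES = {"ModifyImageAttribute", "DeregisterImage", "RegisterImage"}
IDENTITY_CHANGES = {"AttachUserPolicy", "PutUserPolicy", "CreateAccessKey", "UpdateAssumeRolePolicy"}
KEY_CHANGES = {"ScheduleKeyDeletion", "DisableKey", "PutKeyPolicy", "CreateGrant"}

FAILED_LOGIN_THRESHOLD = 3              # per user within the batch (assumed)
EXPORT_BYTES_THRESHOLD = 5 * 1024 ** 3  # 5 GiB read out of storage per user (assumed)

EVENTS = [  # constructed sample batch, not real log data
    {"eventName": "ConsoleLogin", "user": "alice", "sourceIP": "203.0.113.7", "outcome": "Failure"},
    {"eventName": "ConsoleLogin", "user": "alice", "sourceIP": "203.0.113.7", "outcome": "Failure"},
    {"eventName": "ConsoleLogin", "user": "alice", "sourceIP": "203.0.113.7", "outcome": "Failure"},
    {"eventName": "ConsoleLogin", "user": "bob", "sourceIP": "198.51.100.4", "outcome": "Success"},
    {"eventName": "StopLogging", "user": "bob", "sourceIP": "198.51.100.4", "outcome": "Success"},
    {"eventName": "GetObject", "user": "svc-export", "sourceIP": "192.0.2.9", "outcome": "Success",
     "bytesTransferredOut": 3 * 1024 ** 3},
    {"eventName": "GetObject", "user": "svc-export", "sourceIP": "192.0.2.9", "outcome": "Success",
     "bytesTransferredOut": 3 * 1024 ** 3},
    {"eventName": "ScheduleKeyDeletion", "user": "root", "sourceIP": "198.51.100.4", "outcome": "Success"},
    {"eventName": "DescribeInstances", "user": "carol", "sourceIP": "198.51.100.5", "outcome": "Success"},
]


def detect(events):
    """Return (category, subject, detail) alerts; per-event rules first, then aggregates."""
    alerts = []
    failures = Counter()          # failed console logins per user
    egress = defaultdict(int)     # bytes read out of storage per user
    for e in events:
        name, user = e["eventName"], e["user"]
        if name == "ConsoleLogin" and e["outcome"] == "Failure":
            failures[user] += 1
        if name == "GetObject":
            egress[user] += e.get("bytesTransferredOut", 0)
        if user == "root":                       # any root-account activity is privileged
            alerts.append(("privileged_activity", user, name))
        if name in LOGGING_CHANGES:
            alerts.append(("logging_change", user, name))
        if name in IMAGE_CHANGES:
            alerts.append(("image_change", user, name))
        if name in IDENTITY_CHANGES:
            alerts.append(("identity_change", user, name))
        if name in KEY_CHANGES:
            alerts.append(("key_change", user, name))
    for user, n in failures.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            alerts.append(("login_failures", user, f"{n} failed console logins"))
    for user, b in egress.items():
        if b >= EXPORT_BYTES_THRESHOLD:
            alerts.append(("large_export", user, f"{b / 1024 ** 3:.1f} GiB read"))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Two design points are worth noting. The logging-change rule fires on a single event because a disabled trail silences every other rule after it, so it deserves the highest priority regardless of volume. The export rule aggregates per user across the batch, since the anticipated-versus-unexpected distinction in the list above is only visible in totals, not in any one request.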

Adopt new “cloud native” security tools designed for these highly virtualized, multi-tenant public cloud environments. These security-as-a-service (SecaaS) tools integrate with cloud platform components via APIs, a new model for implementing security controls.

In this manner, DevOps becomes DevSecOps, with security integrated throughout the software development and delivery pipeline. In the DevOps and “infrastructure as code” world, everything is software-defined, including servers (mostly VMs), containers, application stacks, networks, and access models. “Security needs to be defined in this way, as well,” Shackleford said.

Automated controls that security teams need to implement for each phase of the DevOps pipeline include the following:

— Monitoring of deployed instances through installed agents or continuous scanning within the cloud environment

— Assessment of container images in the registry and as promoted/launched in production

Because containers require access to code repositories to install and configure software packages, security teams need tools that can scan container environments, as well as test the container daemon and its configuration, validate the containers running on the container host, and review the container security operations.

Avoid silos of controls and point solutions from a single vendor or narrow cloud-native options. Instead, security teams should consider flexible and extensible SecaaS offerings for implementing controls in one or multiple cloud platforms.

“Hybrid cloud is the move. That’s where we’re all headed,” he said.

Securing hybrid IT environments with Qualys

The Qualys Cloud Platform and its suite of security and compliance Cloud Apps are ideally suited for protecting cloud and container DevOps pipelines, where the web apps that power digital transformation projects are created.

“Digital transformation is being powered by IT innovation, and security can’t be an afterthought,” said Chris Carlson, Vice President of Product Management at Qualys. “We need to bake security into this new infrastructure.”

With Qualys, you can integrate and automate security throughout the DevOps process — planning, coding, testing, releasing, deploying, monitoring — and build it into the software lifecycle instead of bolting it on at the end.

That way, vulnerabilities, misconfigurations, policy violations, malware and other safety issues can be addressed before code is released, reducing the risk of exposing your organization and your customers to cyber attacks.

“If you can get a handle on this, you’re better prepared as your IT counterparts are innovating very quickly in terms of their technology choices,” Carlson said.

The Qualys Cloud Platform sensors – available as physical and virtual scanners, and as lightweight agents – are always on, remotely deployable, centrally managed and self-updating, enabling true distributed scanning and monitoring of all areas of today’s hybrid IT environments.

Specifically, the Qualys Cloud Agent extends security throughout an IT environment, by working where it’s not possible or practical to do network scanning, including in static and ephemeral cloud instances.

How Qualys secures DevOps in public clouds

After integrating Qualys into their DevOps pipeline, organizations obtain a clear picture of the vulnerabilities and mis-configurations of their OSes and web applications. They’re also able to remediate these security problems before launching an app into production. And by placing the Qualys Cloud Agent into the DevOps environment, they obtain continuous monitoring.

For example, in an AWS environment, after creating an AMI (Amazon Machine Image), sample instances are spun up and Qualys scans are run on them. After identifying and fixing the vulnerabilities and mis-configurations, the security team ends up with a hardened AMI base instance, places a Qualys Cloud Agent on it, and releases it to production.

Qualys functionality for vulnerability management, policy compliance and web application scanning is supported via REST APIs so you can programmatically integrate it with your DevOps tools.

Once AMIs have been released live, Qualys monitors and tracks their security posture via dynamic and interactive dashboards. There you can search and tag instances based on attributes, and use pre-built or custom widgets to monitor deployments, all via a “single pane of glass” UI.

In addition, the Qualys Cloud Connector for AWS continuously discovers instances and collects their metadata including AMIs using API integration. As with AWS, Qualys has similar native integrations with Microsoft Azure and Google Cloud Platform.

How Qualys secures containers in DevOps

Docker containers churn much faster than virtual machines, and are much more lightweight because, unlike VMs, they can be spun up without provisioning a guest OS for each one. This is why they’re so popular in DevOps teams, as they let developers create and deploy applications more quickly and efficiently, and with an increased level of portability.

Qualys Container Security helps InfoSec teams with continuous discovery, tracking and protection of containers in DevOps pipelines and deployments at any scale, according to Carlson. Specifically, Qualys CS offers:

Discovery, inventory, and near-real time tracking of container events

Vulnerability analysis for image registries and containers

Event and change tracking

REST API integration

Qualys CS also features a native container sensor, which is distributed as a Docker image. Users can download and deploy these sensors directly on their container hosts, add them to the private registries for distribution, or integrate them with orchestration tools for automatic deployment across elastic cloud environments.

About that mobile wallet app …

Let’s circle back to the large bank’s mobile wallet, and how security was integrated into its development and deployment using Qualys. “IT and security partnered from the beginning, and leveraged each other’s technologies,” Carlson said.

From the DevOps side, the app was born in the cloud, with everything in AWS: planning, testing, regression, staging, build, deployment, and production. Complete new builds of the app are produced and deployed into AWS every 60 days.

To keep up this speed, they’ve created automated regression and test-driven development so they can quickly and easily find any functional defects created or introduced between builds.

Docker containers are used to abstract the app from the OS, which lets the bank iterate on the apps faster without being constrained by dependencies in the underlying OS.

Meanwhile, the security team transparently integrated vulnerability and compliance assessment into the DevOps process from the first day:

Code vulnerabilities are fixed in the same software-release cadence. The bank checks for vulnerabilities in both commercial and open source software used in the project.

“They can find and fix those vulnerabilities, and verify they’ve been properly fixed on the same release cadence. They don’t wait until the app goes into production to do an assessment after the fact,” he said.

The automated regression for functional testing is also applied to more quickly find issues with patches and vulnerability remediation.

Because they’re using Docker containers, IT teams can apply security patches to OS vulnerabilities at a separate cadence from application vulnerabilities, and patch them separately without worrying that patches to one will break the other.

Consequently, this app ships with far fewer severe vulnerabilities than average legacy apps. And the mobile wallet app vulnerabilities that do make it through into production — as well as the newly disclosed vulnerabilities that impact production applications — are patched much more frequently and consistently than in legacy apps, driving towards the goal of “zero vulnerabilities”.

Securing your Cloud and Container DevOps Pipeline

https://blog.qualys.com/news/2018/03/29/securing-your-cloud-and-container-devops-pipeline

Thu, 29 Mar 2018 16:00:58 +0000

Organizations are aggressively moving workloads to public cloud platforms, such as Amazon’s AWS, Google Cloud, and Microsoft’s Azure, upping the ante for InfoSec teams, which must protect these new environments.

Driving this growth in cloud computing adoption is its essential role in digital transformation initiatives, which help businesses be more efficient, effective, flexible and innovative in areas like e-business, supply chain management, customer support and employee collaboration.

Digital transformation projects are typically delivered using web and mobile apps created in DevOps pipelines, where developers and operations staff work collaboratively at every step of the software lifecycle, releasing apps or app updates frequently.

But security must be integrated throughout the DevOps process — planning, coding, testing, releasing, deploying, monitoring — in an automated way, organically building it into the software lifecycle instead of bolting it on at the end.

That way, vulnerabilities, misconfigurations, policy violations, malware and other safety issues can be addressed before code is released, reducing the risk of exposing your organization and your customers to cyber attacks.

In a recent webcast, Hari Srinivasan, Qualys’ Director of Product Management for Cloud and Virtualization Security, explained how Qualys can help you secure your cloud and container deployments across your DevOps pipeline.

DevSecOps: Automating security

DevSecOps engineers must ask themselves a number of key questions regarding the automation of security checks in the DevOps development and deployment pipeline, according to Srinivasan.

Atop the list is whether their team is able to identify vulnerabilities and other security issues during the appdev build process, so that they can be remediated at this stage. Second is to find out if the necessary security checks can be automated and meshed into the DevOps CI/CD (continuous integration / continuous deployment) tool chain.

Also important: Determining whether it’s possible to obtain security information that the application owner and the developers can understand and act upon. And last but not least is to see if security information can be transmitted downstream for processing in SIEM and ticket systems.

Qualys secures DevSecOps in clouds

There are three main use cases Qualys supports for securing DevOps in cloud deployments.

First, after integrating Qualys into your DevOps pipeline, you’ll be able to obtain a clear picture of the vulnerabilities and mis-configurations of your operating systems and web applications. Second, you’ll be able to remediate these security problems before launching an app or a chunk of code into production. Finally, you’ll have the chance to place the lightweight and versatile Qualys Cloud Agent into your DevOps environment to provide continuous monitoring.

For example, in an AWS environment, after creating an AMI (Amazon Machine Image), you spin up sample instances and run Qualys scans on them.

After identifying and fixing the vulnerabilities and mis-configurations, you would end up with a hardened AMI base instance, and proceed to seed a Qualys Cloud Agent on it, before releasing it to production.

“Because Qualys Agents are lightweight, they’re extremely suited for embedding into an image, and provide instant visibility when these environments are deployed,” Srinivasan said.

Qualys functionality for vulnerability management, policy compliance and web application scanning is supported via REST APIs so you can programmatically integrate it with your DevOps tools.

Once AMIs have been released live, Qualys helps you monitor and track their security posture via dynamic and interactive dashboards in which you can search and tag instances based on attributes, and use pre-built or custom widgets to monitor deployments.

“There’s one widget you can add that tracks if there are instances that are being spun up from an unapproved AMI,” Srinivasan said.

In addition, the Qualys Cloud Connector for AWS continuously discovers instances and collects their metadata including AMIs using API integration. Connectors may be configured to connect to one or more AWS accounts with user-provided, read-only credentials. That way, they can automatically detect and synchronize changes to virtual machine instance inventories from all Amazon EC2 Regions and Amazon VPCs.

As with AWS, Qualys has similar native integrations with Microsoft Azure and Google Cloud Platform to do vulnerability management, policy compliance, malware detection, web app scanning and other critical tasks on your cloud instances.
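The “unapproved AMI” widget Srinivasan mentions is, underneath, a check of the discovered inventory against the set of gold images. The following is an added example, not Qualys code and not the connector’s implementation: the inventory is constructed in the shape a read-only EC2 describe call would yield (instance id, image id, region, launch time), the approved-image map and the grace period are hypothetical, and it goes a little beyond the single widget by also treating a gold image from the wrong region as unapproved (AMI ids are region-specific) and by flagging instances still running a previously approved image past a grace period.

```python
"""Find instances launched from unapproved, wrong-region or stale AMIs.

Added example, not Qualys code. INVENTORY is constructed in the shape of
an EC2 describe result; APPROVED and GRACE_DAYS are hypothetical policy.
"""
from datetime import datetime, timezone

# Gold images per region: the current approved AMI plus previously approved
# ones tolerated for a grace period (constructed ids, not real AMIs).
APPROVED = {
    "us-east-1": {"current": "ami-0gold0003", "previous": {"ami-0gold0002"}},
    "eu-west-1": {"current": "ami-0gold0103", "previous": set()},
}
GRACE_DAYS = 30  # how long an instance may keep running a superseded gold image (assumed)

INVENTORY = [  # constructed sample, not real inventory data
    {"InstanceId": "i-0a1", "ImageId": "ami-0gold0003", "Region": "us-east-1", "LaunchTime": "2018-06-01T10:00:00Z"},
    {"InstanceId": "i-0a2", "ImageId": "ami-0gold0002", "Region": "us-east-1", "LaunchTime": "2018-03-01T10:00:00Z"},
    {"InstanceId": "i-0a3", "ImageId": "ami-0unknown9", "Region": "us-east-1", "LaunchTime": "2018-06-10T10:00:00Z"},
    {"InstanceId": "i-0b1", "ImageId": "ami-0gold0003", "Region": "eu-west-1", "LaunchTime": "2018-06-01T10:00:00Z"},
    {"InstanceId": "i-0c1", "ImageId": "ami-0gold0103", "Region": "ap-south-1", "LaunchTime": "2018-06-01T10:00:00Z"},
]


def parse_ts(s):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' form used above into an aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify(instance, approved, now):
    """Classify one instance against the per-region gold-image policy."""
    region, image = instance["Region"], instance["ImageId"]
    policy = approved.get(region)
    if policy is None:
        return "unmanaged_region"          # nothing is approved here, so nothing should run here
    if image == policy["current"]:
        return "approved"
    if image in policy["previous"]:
        age_days = (now - parse_ts(instance["LaunchTime"])).days
        return "stale" if age_days > GRACE_DAYS else "approved_previous"
    return "unapproved"                    # includes a gold image id from another region


def audit(inventory, approved=APPROVED, now=None):
    """Map every instance id to its classification; `now` may be an ISO string for reproducibility."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_ts(now)
    return {i["InstanceId"]: classify(i, approved, now) for i in inventory}


def needs_action(inventory, approved=APPROVED, now=None):
    """Instance ids an operator should look at, sorted for stable output."""
    flagged = ("unapproved", "stale", "unmanaged_region")
    return sorted(iid for iid, c in audit(inventory, approved, now).items() if c in flagged)


if __name__ == "__main__":
    for iid, verdict in audit(INVENTORY, now="2018-06-15T00:00:00Z").items():
        print(iid, verdict)
```

Feeding this from a real connector means replacing INVENTORY with whatever the read-only describe calls return per region; the policy lookup is keyed on region precisely because the same AMI id never refers to the same image in two regions.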

How Qualys secures containers in DevOps

If the elasticity, agility and speed of virtualized cloud environments are a challenge, container technology takes everything up a notch. Docker containers churn much faster than virtual machines, and are much more lightweight because, unlike VMs, they can be spun up without provisioning a guest operating system for each one.

This is a big reason for their raging popularity in DevOps teams, as they let developers create and deploy applications more quickly and efficiently, and with an increased level of portability. Applications can be smaller, often focused on one or a few capabilities, and be more easily distributed across an IT environment.

Qualys Container Security, now in beta, has been designed to help InfoSec teams with continuous discovery, tracking and protection of containers in DevOps pipelines and deployments at any scale. “It provides you with total visibility and continuous security for containers,” Srinivasan said.

Specifically, Qualys CS offers:

Discovery, inventory, and near-real time tracking of container events

“With Qualys CS, you can identify the environment where containers are deployed, the source of those containers, and where these images are stored. You can also ensure that discovery is being done on a continuous basis,” he said.

Vulnerability analysis for image registries and containers

Qualys CS provides high accuracy vulnerability scanning of images, registries and containers in addition to the underlying host operating system, across the complete chain. This includes a plug-in for Jenkins which users can use to identify the vulnerabilities in the images in the build process.

Event and change tracking

“Qualys CS gives you the ability to identify what events are happening in those container environments, and who’s making the change, so it provides you with an audit trail of events,” he said. With that information in hand, you can flag malicious behavior, raise alerts and do anything else necessary to mitigate the issues.

REST APIs integration

All Qualys CS functionality is available via APIs so you can integrate it with your CI/CD toolchain.

In addition, Qualys CS features a native container sensor, which is distributed as a Docker image. Users can download and deploy these sensors directly on their container hosts, add them to the private registries for distribution, or integrate them with orchestration tools for automatic deployment across elastic cloud environments.

“Qualys Container Security provides you with an automated capability of continuously assessing security across the complete pipeline, be it the ‘build’, be it the ‘registry’ where images are hosted, and additionally the ‘runtime’ environment,” Srinivasan said. “It spans across the entire pipeline chain.”

The release also includes a Jenkins plug-in for vulnerability analysis. The entire feature set is available as REST APIs, both for CI/CD toolchain integration and for southbound tools such as ticketing systems and SIEM tools.

We invite you to listen to a recording of the webcast, which has a lot more details about these topics and about Qualys Container Security, as well as a live demo of the product and a Q&A session with the audience.

Webcast Q&A: DevSecOps – Building Continuous Security Into IT and App Infrastructures

https://blog.qualys.com/news/2017/11/08/webcast-qa-devsecops-building-continuous-security-into-it-and-app-infrastructures (Wed, 08 Nov 2017 16:55:35 +0000)

As organizations adopt DevOps to create and deliver software quickly and continuously — a key step for supporting their digital transformation initiatives — they must not overlook security. In DevOps, development and operations teams add agility and efficiency to software lifecycles with automation tools and constant collaboration, but the added speed and flexibility can backfire if security is left out.

Rather, organizations should bake security personnel, tools and processes into the process to end up instead with DevSecOps, a topic whose business and technology aspects were explored in depth during a recent webcast by Qualys Product Management VP Chris Carlson and SANS Institute Analyst John Pescatore.

In this blog post, we’re providing an edited transcript of the question-and-answer portion of the webcast, during which participants asked Carlson and Pescatore about a variety of issues, including the dangers of using Java, the right tools for DevSecOps, and the best way to embed security into the process. We hope you find their explanations insightful and useful.

An organization is looking at an externally-hosted HR application, and the provider uses Java in their own environment. Is it safe to use Java?

John: There’s a lot of different parts of Java: the runtime environment, virtual machines, the browser plug-ins and so on. It can be done safely. It’s a very effective programming language. There’s lots of secure Java development. Unfortunately, there are lots of patches that come out from Oracle on the runtime environment, and Oracle keeps trying to trick people into installing toolbars and various third-party software with the Java updates.

So, ideally, if it was a perfect world, we could say, “Yes. Abandon it.” That’d be great. The reality is it’s kind of a usual thing for providers to write applications that run across heterogeneous environments, which increasingly in the mobile world it’s not going to be just Windows, it’s not just going to be just Apple, it’s not going to be just Android. It’s going to be a heterogeneous world. So, typically, the answer is to ask the right questions about the secure development life cycle and admin processes of the provider. Are they doing Java securely? Are they updating things? Are they not using the browser plug-in? Lots of things like that. Chris, you want to weigh in?

Chris: That’s right. In fact, it’s not just about Java. It is really about a third-party provider, and what is the security of their offering. That may mean that you engage with them with a security assessment questionnaire for them to set up and respond to. Maybe they have to present the results of their vulnerability assessment, or their compliance programs to you so you can evaluate and weigh if that vendor is operating correctly. So really it’s more about third party vendor assessment, not necessarily Java, but they are linked together. [It’s] something to really engage with third party vendors in that aspect.

While DevSecOps infers an integrated team, would you recommend abstracting security from development (i.e., there’s security expertise still in app security, expertise in the security organization) or embedding security into the development team?

Chris: The answer is [that] it varies. And it varies depending on the organization, where the skillsets are, where that cultural transformation is happening. That last example I gave you about that financial services provider, they split the app sec task in half, where the easily-mitigated vulnerabilities are done by normal development teams. So a web developer can fix the input validation, can remediate SQL injection security issues. But the higher order app sec issues, the penetration, supporting a third party open source Bugcrowd type engagement, that may live in the app sec role that’s within security. So at the end of the day, it’s really about driving efficiencies and optimizations, and it may not matter where it lives, but the true security hardcore and policy definition should live within security.

But how can you enable and empower developers and operations people who don’t know about security, don’t have a security background? How can you translate a security issue into a software defect, which they can fix like they fix other functional software defects? That’s where successful DevSecOps integrations come in — to transparently and automatically build security into the DevOps pipeline for developers and operations people to use and get benefit.

John: Whenever I see successful examples of companies that have turned that corner in reducing vulnerabilities, inevitably they’ve invested in integrated education of developers as to what bad coding practices are, from a security point of view, integrated security capabilities into their development environment, development and test environment. So when projects are run through test tools to determine if they should be allowed to check in or advance to the next stage, common security vulnerabilities are looked for and so on. So there’s definitely a level of integration. Just [like] a person who loses weight doesn’t have a dietitian with them all the time, they learn the basic rules of avoiding certain things. But the threats change pretty rapidly, and the security team is the only place we can put the expertise to keep up with that. So I’m all for embedding as much security knowledge into the standard development practices, tools, and environments.

How can we imbue or further imbue a mindset so that security defects are treated as functional defects (i.e., security given the same priorities as a feature, when software is being tested, and so on)?

John: To me that’s back to this embedded part. A lot of the successful success stories in the past are where the security group found a friend in QA, or whatever you call the last step, when someone finally says: “This application is okay to go on production systems.” And then, rather than after that happens, the security team [is] running tools to test and say: “Hey, you’ve got all these vulnerabilities.” That step prior to blessing it for production is the starting point for, quite often, getting security into the same conversation with functional defects or the availability defects, and then working your way upstream from that final step as the QA group starts to reject code and say: “We cannot approve for production, because of these security vulnerabilities.”

[In] the example I used [of the] financial organization that did the email authentication, [the] CISO focused on application security made friends with the VP of app dev, and was able to work their way up, all the way to the beginning of the software development life cycle. Not only did they increase software productivity overall, i.e., fewer lines per hour of code, when you counted in rework, [but] they were also able to shorten time to market. Sort of addressing the two big myths: that secure software takes too long and costs too much. Nope. They actually showed increases in productivity, and decreases in time to market because they had gotten the QA organization to be the gatekeeper to say: “Nope. That’s not getting to market with all of these security vulnerabilities.” Just like we wouldn’t let it get to market if it was missing these functions it claims to have. Chris, any expansion?

Chris: That makes perfect sense, and that’s part of the cultural transformation, agree? That security is not the department of “no,” they’re not an adversary to the IT group. To expand beyond that, eventually security defects have to be fixed anyway. Maybe not all of them, but they’ve gotta be fixed anyway in production. And that is a cost and a time that is borne by the IT and the app dev teams.

So if you can help, and educate, and understand that you are going to have to fix this cross-site scripting [flaw] anyway, why not fix it earlier, when it’s two lines of code, and takes you five minutes, and QA can validate it? As opposed to “Oh my gosh, I’m going to have to completely re-architect that component,” and make sure that doesn’t break some other functional stuff because it’s already in production. So when you start to measure the time it takes to fix vulnerabilities in production, and how long it took to fix it in the early part of the DevOps process, it just becomes a win across the board for all groups.

I’m in QA and I was recently moved into the security testing team. What are the key points I should look at when deciding on what security tools we should use?

John:First off, if you are a Gartner or a Forrester customer, they have great research notes out on the capabilities you should look for. Obviously, Gartner has the Magic Quadrant, but they also have these critical capability notes that give you great guidelines.

See how well the processes integrate with however your development process is. A lot of tools are great for security geeks to use, but when they give out information about where the vulnerability is or recommended fix is, it’s like a different language to developers. So have developers look at the output of the tools that you’re considering.

I’d love there to be the sort of standard crappy piece of software that we could all run these tools against, and then sort of do a false positive, false negative check. A good way is to involve the right people from your development team, run it against some of your typical code, and try to do a sanity check on the false positive side of things. That is the most common complaint from the developers’ side: “Too many of these trouble tickets that you generated here, we look into it and there’s nothing there.”

Chris, you obviously have a conflict of interest here, but what are the key things you see people looking for in choosing tools?

Chris: Yes certainly. Well, John, when you said “some crappy typical software,” unfortunately that list is a mile long, so there’s plenty of opportunity to find some of that. And Qualys is sponsoring this SANS webinar, so I certainly see what we’re doing as a company in this area, and how our offerings are improving what our customers are doing.

But for you, I think in that case it’s fantastic. It is good to see developers move over to security. It is good to see QA people move into security or networking people to go into security, because you understand how the application functions. You know what the positive test cases are, what the negative test cases are, what the happy paths are for these type of things. As you learn about security and apply that security lens to it, then it becomes: “Well, was this feature implemented because [of its] ease of use, but now it opens up a non-authenticated API? That’s not good.” So that domain knowledge is very powerful.

Sometimes it’s hard to take a pure play security person and move it into an IT group, because [sometimes those folks strongly believe that] it is only about security. But it’s good to see you are widening your career there, that you are moving into security. Some of the things we talked about during this webinar would be some early places to start.

Throughout this webinar, you’ve largely been talking about running automated vulnerability scanning type tools. That’s the only thing you’ve talked to. Isn’t there a lot of risk in getting a false sense of security, by relying solely upon automated vulnerability tools to determine if applications are safe or not?

Chris: Yeah, so it’s not solely. You know, this is just the example that we use in here. These customer examples were not only using Qualys, they’re using different tools. But it really comes down to how you can apply a multiplier, an automated capability, to reduce that attack surface. How can you take something, to take the known and obvious 100 percent vulnerabilities off the table. How you can reduce that scope so that ultimately the things that a human needs to look at, [that] a human needs to analyze — maybe do a pen test or do their own manual fuzzing, or their own input validation — it’s less workload for the manual process. So it’s about using tools to automate and extend the human capacity that you can bring into the job, in order to supply and support more business goals that are coming from you, from every corner. John?

John: What I’ll say is first off, a secure development lifecycle is not the old development life cycle, with vulnerability scanning tools jammed in at a couple places. That would still be an improvement over many development lifecycles, but that’s not a secure development lifecycle.

The example that I use is when my kids were little they would cry at night. My wife would sleep right through it, but I’d wake up and go see why they were crying. Well, that’s because we had a pretty quiet house. Imagine if I had no doors or windows on my house, and there were dogs barking, and all kinds of noise in my house. I’d never be able to get to my kids crying. That’s the same thing in most environments. To run these tools and work off the vulnerabilities these tools will find, that’s the only way to apply the people manpower and peer review teams with security knowledge, real people, or developers that at least know insecurities, so when they do peer review, they can point out problems to lesser skilled developers.

If you can’t get the easy ones out of the way first — and if you look at the breach reports, 99 percent of the time it’s pretty easy vulnerabilities that are getting exploited — you can’t get to the next stage of the higher value human analysis, and unfortunately too often that happens.

Case Study: Cisco Group Bakes Security into Web App Dev Process

https://blog.qualys.com/technology/2017/11/01/case-study-cisco-group-bakes-security-into-web-app-dev-process (Wed, 01 Nov 2017 16:00:43 +0000)

“To know what is right and not do it is the worst cowardice.”

That phrase was uttered by Confucius 2,500 years ago, but reflects the spirit behind a recent revamp of a Cisco web app development process that made it more effective and secure.

“This is important as we talk about the secure software development lifecycle, because we weren’t doing what we needed to do, even though we knew what was right,” said Robert Martin, security engineer in Cisco’s Government Trust and Technology Services group.

In a nutshell, the process had fallen into a vicious cycle that pleased no one: Little communication between developers and security pros, combined with late vulnerability scans, yielded buggy software that had to be belatedly fixed, leading to missed deployment deadlines.

“We were making the same mistakes over and over again, and we weren’t making any corrections,” Martin said.

Sound familiar? This is a scenario in which countless organizations have found themselves. After years of using a linear, siloed model for creating and releasing software, organizations discover that this approach doesn’t work well in the era of rapid, agile web development and deployment.

To the credit of Martin and his group, they did something about this, instead of simply plodding along and settling for the status quo.

Buggy Apps, Delayed Releases

In the old process, the development team would work on the app with little visibility and attention to security. After completing the app, they would toss it over to the security team for a thorough review, and with a fast-approaching deadline for deployment.

“We were starting at the very end of the lifecycle, playing catch-up,” said Martin, who spoke about his group’s secure software development lifecycle during a Black Hat USA presentation and in a subsequent interview with Qualys.

Inevitably, the security check would reveal multiple vulnerabilities, configuration problems and other issues. “The dev team would come back to us and say: ‘This can’t work. We’re missing deadlines. We’ve got to get this application out,’ ” he said.

But the problems had to be fixed for multiple business, security and compliance reasons.

Robert Martin, security engineer in Cisco’s Government Trust and Technology Services, speaks at Black Hat USA 2017 about his group’s use of Qualys Web Application Scanning

A common theme across them is the call for thorough risk assessments, continuous monitoring, automated vulnerability and configuration scans, prioritized remediation and detailed reports.

Thus, Martin started with a risk assessment of all the web apps in scope, specifically approaching the development team with questions regarding their awareness of and compliance with these standards and regulations.

“Their answers were ‘no’,” he said. “But here’s the part that was failing on our behalf: We weren’t educating them.”

The risk assessments not only served to create the necessary awareness — Martin’s team created a bunch of new internal policies as a result — but also opened up communication channels that didn’t exist before between the security and development teams.

In order to insert security earlier into the development process, Martin’s team gave the developers access to automated security tools that were integrated into the environment. He was pleased to realize that new tools weren’t needed; rather, the team could make better use of tools they already had, primarily Qualys Web Application Scanning (WAS), which Martin calls the “gold standard” for web application scanning.

Martin’s team trained the developers on Qualys WAS and gave them access to it so they could start scanning throughout the lifecycle.

This created opportunities to flag security problems early and often in the process, which led to increased collaboration and coordination, more meaningful communication between the development and security teams, and on-time app deployments.

It also gave developers visibility into, and accountability for, these issues that they didn’t have before, as well as a new willingness to get issues remediated promptly and correctly, with guidance and help from the security team.

With Qualys WAS’ continuous scanning, the security team and the management team were able to see if security issues were being remediated promptly. Qualys WAS is the catalyst that improved the communication between the security, development, and management teams.

“Now they know what we’re up against, they have buy-in, and we’re enabling them to see flaws on their own,” he said.

Overall, security is now embedded into the entire software development lifecycle. “We’re a cohesive part of the team instead of being the security people that always say: ‘No’.”

This improved communication has also given the security team a view not only into current application development projects but also future ones, so conversations now start at that early stage of an app’s planning.

The process has been improved not only for web apps developed in house but also for commercial “off the shelf” (COTS) web apps Cisco buys, which in the past were often deployed before having been scanned for security issues.

Here again, Qualys WAS is being used to scan these COTS apps on a regular schedule. Now these commercial web apps are scanned first in a development environment during the “proof of concept” stage of the buying process. They’re also later scanned prior to being deployed, and then periodically in production to check for newly disclosed vulnerabilities and configuration changes. This enables Cisco to be proactive in remediating security issues. WAS is also part of the vetting process for any new COTS applications under consideration.

The end result: better, more secure and compliant apps, developed more quickly and less expensively, and delivered on time. “We haven’t missed a deployment or launch,” he said.

Cisco also took advantage of the product’s APIs to integrate it into the software development lifecycle. Specifically, Cisco is integrating Qualys WAS via API into its privileged password management solution. This has improved Cisco’s security posture and helped to satisfy controlled unclassified information (CUI) requirements.

Qualys WAS

With Qualys WAS, organizations can find and fix security holes in web apps and APIs through continuous web app discovery and detection of vulnerabilities and misconfigurations. It can insert security into application development and deployment environments. With WAS, organizations test for web app security issues early and often, enhance quality assurance and generate comprehensive reports. Through its tight integration with Qualys Web Application Firewall (WAF), Qualys WAS can also continuously monitor and virtually patch production web applications.

“The great thing about Qualys is that it’s as much into the development part as it is into the security side,” he said.

According to Martin, security should be baked into every product that Cisco supports or uses. By using Qualys to secure their software development lifecycle, Cisco developers are not only kept informed about new web application vulnerabilities, but also about any security issues related to their own code. This enables management to track code development issues and provide training and coaching if needed.

A Source of Truth

Qualys WAS not only gave Martin’s team the visibility into web app security it had been lacking, but also what Martin refers to as a critical and fundamental “source of truth.” This means that Qualys WAS provides current and historical data on the security posture of Cisco’s software development lifecycle, Martin said.

By using Qualys WAS coupled with manual testing of web applications, Martin’s team can help assure its end-users and clients that they have continuous visibility of security issues and faster remediation times.